Client Certificates (Background documentation)

As an alternative to using user IDs and passwords with Web applications on the SAP Web AS ABAP, users can also present X.509 client certificates for user authentication. In this case, user authentication takes place on the Web server using the Secure Sockets Layer (SSL) protocol, and no passwords are transferred. User authorizations apply according to the authorization concept in the SAP system.

Note

You can also use client certificates with the SAP Web Application Server Java or via the Internet Transaction Server (ITS). To be able to use certificates for authentication via the ITS, the SAP system used must be Release 4.5B or higher.

Security Measures When Using Client Certificates

When using X.509 client certificates and SSL for user authentication, you should note the following:

- Choose a trusted CA.

  Your users need to possess valid certificates signed by a trusted CA. You can either establish your own CA and distribute certificates to your users yourself, or you can rely on a Trust Center service. The CA you choose must be designated as a trusted CA on the Web server.

- When using SSL with the ITS, use SNC for the WGate / AGate / SAP system connections.

  Because user authentication takes place on the Web server and not in the SAP system, you need to use SNC to guarantee data privacy and integrity for the communication path between the WGate and the SAP system. For more information, see Secure Network Communications (SNC).

- Inform your users about how to protect their private key.

  In this scenario, user authentication takes place using the SSL protocol, which uses public-key technology. Each user needs to possess a public-key pair. The public key is contained in the X.509 client certificate and can be made public. However, the user's private key needs to be kept safe. The options available for securing the private key depend on the Web browser you use (for example, you may be able to protect it with a password, or you may be able to use smart cards). If the private key is stored on the front-end client, your users should use password-protected screen savers.

- If users share front ends, note the following:

  As long as the operating system separates and protects user data at the operating system level (for example, Windows NT), the private key stored on the front end is protected by the operating system.

  However, when using an operating system that does not separate user data (for example, Windows 95), you should not store the private key on the front end.
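The trusted-CA point above, as an added example that is not part of the SAP documentation: a shell script using the openssl command-line tool to reproduce the Web server's trust decision, accepting a certificate issued by the designated CA and rejecting one from any other CA even when it carries the same user name. The CA names, user names and temporary file layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SAP documentation: model the Web server's trust
# decision for X.509 client certificates with the openssl CLI. CA names, user
# names and the temporary file layout are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate; $1 = file prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a client certificate signed by a CA; $1 = CA prefix, $2 = user prefix,
# $3 = user common name.
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# The check the Web server makes in the SSL handshake: does the presented
# certificate chain to a CA designated as trusted? $1 = trusted CA certificate,
# $2 = presented client certificate. On success prints the subject DN (the
# identity the application layer gets to work with), otherwise returns 1.
authenticate_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Only "Corporate CA" is trusted. A second CA issues a certificate carrying the
# same user name, which must be rejected: the subject alone proves nothing.
make_ca corp "Corporate CA"
make_ca other "Some Other CA"
issue_user_cert corp alice "ALICE"
issue_user_cert other alice_other "ALICE"

authenticate_client "$WORK/corp.crt" "$WORK/alice.crt"        # prints CN=ALICE
authenticate_client "$WORK/corp.crt" "$WORK/alice_other.crt" \
  || echo "rejected: certificate not issued by the trusted CA"
```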

See also:

- SAP Web AS ABAP:

  - Security Measures When Using Client Certificates

  - Using X.509 Client Certificates

- SAP Web AS Java:

  - Using Client Certificates for User Authentication

- ITS:

  - Authenticating Named Users Using X.509 Client Certificates

  - X.509 Certificate Logon via the ITS at http://service.sap.com/security
